
access controls on su

skt_skt
Honored Contributor

access controls on su

In Linux, the following files control su access:

# ll /etc/security/su*
-rw-r--r-- 1 root root 8 Feb 15 2006 /etc/security/suapplmgr
-rw-r--r-- 1 root root 7 Feb 15 2006 /etc/security/suoracle
-rw-r--r-- 1 root root 5 Feb 15 2006 /etc/security/suroot

Is there an equivalent in HP-UX or an alternate method?


4 REPLIES
Tim Nelson
Honored Contributor

Re: access controls on su

As far as I know.

1) su access is only limited to knowing the password of who you are su'ing to

2) if not root then permissions are controlled by standard file permissions and some directives defined in /etc/defaults/security

3) I see others typically use sudo (3rd party app) for this purpose.

man su
or
man security

for more.

Srini Jay
Valued Contributor

Re: access controls on su

To control who can 'su - root', you can do the following:

1) Create a unique group (say 'some_unique_group')

2) add the following line to /etc/default/security file:
SU_ROOT_GROUP=some_unique_group

3) add the users who should be allowed to do 'su root' to this group:

in file /etc/group:

some_unique_group::GID:user1,user2,user3...


Not sure if there is a way to restrict 'su' to other non-root accounts.

thanks,
sj
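
An added example, not part of the thread and not HP-UX's own tooling: a POSIX shell check for the SU_ROOT_GROUP setup described in the reply above, reporting whether the setting is present and which users the group entry lists. Function names are hypothetical, the sample files are constructed, and it assumes a later SU_ROOT_GROUP line overrides an earlier one and that only members listed in the group entry are of interest.

```shell
#!/bin/sh
# Added example: report who may "su root" under the SU_ROOT_GROUP setting.
# Function names are hypothetical; file paths are arguments so the check can
# run against copies of /etc/default/security and /etc/group.

# Print the value of the last uncommented SU_ROOT_GROUP= line (assumption:
# a later line overrides an earlier one).
su_root_group() {
    awk -F= '/^[ \t]*SU_ROOT_GROUP[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v); val = v }
             END { print val }' "$1"
}

# Succeed if group $1 has an entry in group file $2.
group_exists() {
    awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }' "$2"
}

# Print the members listed for group $1 in group file $2, one per line.
group_members() {
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
}

# Return 0 = restricted, 1 = SU_ROOT_GROUP unset, 2 = group missing.
audit_su_root() {
    name=$(su_root_group "$1")
    if [ -z "$name" ]; then
        echo "UNRESTRICTED: SU_ROOT_GROUP is not set in $1"; return 1
    fi
    if ! group_exists "$name" "$2"; then
        echo "MISCONFIGURED: group '$name' has no entry in $2"; return 2
    fi
    members=$(group_members "$name" "$2" | tr '\n' ' ')
    echo "RESTRICTED: su root limited to '$name': ${members% }"
}

# Constructed sample files (not from a real system).
demo=${TMPDIR:-/tmp}/su_audit.$$
mkdir -p "$demo"
printf '%s\n' '# constructed' 'SU_ROOT_GROUP=some_unique_group' > "$demo/security"
printf '%s\n' 'root::0:root' 'some_unique_group::1001:user1,user2,user3' > "$demo/group"
audit_su_root "$demo/security" "$demo/group"
rm -rf "$demo"
```

On a live system the call would be `audit_su_root /etc/default/security /etc/group`; a non-zero return is the case worth alerting on.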


VK2COT
Honored Contributor

Re: access controls on su

Hello,

a) The method you showed in Linux is based on PAM.

Since HP-UX supports PAM, I guess it is possible to do it. In fact, when I get back from a business trip in two weeks, I will try it myself.

b) The second option would be SUDO with SUDOSH.

That one I have implemented for a large company running Solaris, Linux and HP-UX.

c) Finally, if you use HP-UX 11.23 or 11.31, go for Role Based Access Control (RBAC).

Such a good tool, used so little in HP-UX. Pity.

Cheers,

VK2COT



VK2COT - Dusan Baljevic
skt_skt
Honored Contributor

Re: access controls on su


[ghosha@/home/ghosha] #su -
Password:
Last successful login for root: Fri Jan 23 09:48:35 EST5EDT 2009
Last unsuccessful login for root: Thu Jan 22 12:04:28 EST5EDT 2009
su: Not a member of the SU_ROOT_GROUP defined in /etc/default/security
[ghosha@/home/ghosha] #

su to the root account is prevented if the users are NOT members of easroot, but this is NOT available for any other accounts.